I am trying to run, on any Kube slave node:
$ kubectl top nodes
and I get the error:
Error from server (Forbidden): User "system:node:ip-10-43-0-13" cannot get services/proxy in the namespace "kube-system". (get services http:heapster:)
On the master node it works:
$ kubectl top nodes
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
ip-10-43-0-10 95m 4% 2144Mi 58%
ip-10-43-0-11 656m 32% 1736Mi 47%
ip-10-43-0-12 362m 18% 2030Mi 55%
ip-10-43-0-13 256m 12% 2412Mi 65%
ip-10-43-0-14 254m 12% 2512Mi 68%
OK, so what should I do? Granting permissions to what I think is the system:node group:
kubectl create clusterrolebinding bu-node-admin-binding --clusterrole=cluster-admin --group=system:node
did not help.
OK, check the cluster role:
$ kubectl describe clusterrole system:node
Name: system:node
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [get]
endpoints [] [] [get]
events [] [] [create patch update]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
nodes [] [] [create get list watch delete patch update]
nodes/status [] [] [patch update]
persistentvolumeclaims [] [] [get]
persistentvolumes [] [] [get]
pods [] [] [get list watch create delete]
pods/eviction [] [] [create]
pods/status [] [] [update]
secrets [] [] [get]
services [] [] [get list watch]
subjectaccessreviews.authorization.k8s.io [] [] [create]
tokenreviews.authentication.k8s.io [] [] [create]
Trying to patch the rules:
kubectl patch clusterrole system:node --type='json' -p='[{"op": "add", "path": "/rules/0", "value":{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]}}]'
Now:
$ kubectl describe clusterrole system:node
Name: system:node
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
...
services/proxy [] [] [get list watch]
...
top nodes still does not work.
The only thing that works is:
kubectl create clusterrolebinding bu-node-admin-binding --clusterrole=cluster-admin --user=system:node:ip-10-43-0-13
This also works, but it is node-specific too:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: top-nodes-watcher
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get", "watch", "list"]
---
# This cluster role binding grants the top-nodes-watcher role to a single node identity.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: top-nodes-watcher-binding
subjects:
- kind: User
  name: system:node:ip-10-43-0-13
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: top-nodes-watcher
  apiGroup: rbac.authorization.k8s.io
I would have to apply this for every slave node. Can I target just a team or a role instead? What am I doing wrong?
More details:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:48:23Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.2", GitCommit:"922a86cfcd65915a9b2f69f3f193b8907d741d9c", GitTreeState:"clean", BuildDate:"2017-07-21T08:08:00Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
What I really need from it is the physical nodes' memory and CPU usage %.
Please advise.
Answer 0 (score: 1)
To solve this simply (using kubectl top nodes on all slave nodes), you can copy the kubeconfig that your kubectl uses on the master to all the other slaves.
To explain why you ran into this problem: I think you are using the kubelet's kubeconfig on the slave nodes for your kubectl. (If not, please correct me.)
In k8s v1.7+, Kubernetes has deprecated the system:node role in favour of using the Node authorizer and NodeRestriction by default. You can read the documentation about system:node here. So when you try to patch system:node, it will not take effect. The kubelet uses the specific system:node:[node_name] identity to constrain the behaviour of that specific node.
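The binding attempts in the question come down to how the RBAC authorizer matches a request against roles, bindings and the caller's identity. The following is an added example (not code from the question or either answer) that models that matching for "get services/proxy" as the node identity, over constructed copies of the roles and bindings from the thread; it models only the RBAC authorizer, not the Node authorizer discussed above. Assumed: the function and scenario names, and the group name system:nodes, which is the Kubernetes node-credential convention (user system:node:<nodeName>, group system:nodes) and is not quoted anywhere in the thread.

```python
# Added example (not from the question or answers): a minimal model of how the RBAC
# authorizer decides "get services/proxy" for the node identity in this thread.
CLUSTER_ROLES = {
    # system:node as patched in the question (only the rule that matters here)
    "system:node": [
        {"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]},
    ],
    "top-nodes-watcher": [
        {"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "watch", "list"]},
    ],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Identity a kubelet credential carries (assumed convention: user system:node:<name>, group system:nodes)
NODE_USER = "system:node:ip-10-43-0-13"
NODE_GROUPS = ("system:nodes", "system:authenticated")

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when each field lists the requested value or is '*'."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    return subject["kind"] == "Group" and subject["name"] in groups

def rbac_allows(bindings, user, groups, api_group, resource, verb):
    """RBAC is additive: allow only if a binding whose subject matches the caller references a matching rule."""
    for b in bindings:
        if any(subject_matches(s, user, groups) for s in b["subjects"]):
            if any(rule_allows(r, api_group, resource, verb) for r in CLUSTER_ROLES[b["roleRef"]]):
                return True
    return False

SCENARIOS = {  # constructed binding sets mirroring the attempts in the question
    # the patched system:node role exists, but no binding ties it to the node identity
    "patched_role_no_binding": [],
    # `clusterrolebinding --group=system:node`, the group name used in the question
    "group_system_node": [{"subjects": [{"kind": "Group", "name": "system:node"}], "roleRef": "cluster-admin"}],
    # the per-node User binding the question reports as working
    "user_binding": [{"subjects": [{"kind": "User", "name": NODE_USER}], "roleRef": "top-nodes-watcher"}],
    # same role bound once to the group every kubelet credential carries
    "group_system_nodes": [{"subjects": [{"kind": "Group", "name": "system:nodes"}], "roleRef": "top-nodes-watcher"}],
}

def node_can_get_services_proxy(scenario):
    return rbac_allows(SCENARIOS[scenario], NODE_USER, NODE_GROUPS, "", "services/proxy", "get")
```

A role with no binding to the caller grants nothing, which is why patching the ClusterRole alone changes no outcome here; only the bindings whose subject actually matches the kubelet identity do.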
Answer 1 (score: 0)
I ended up doing the following: removed NodeRestriction from the kube-apiserver --admission-control option, removed Node from the --authorization-mode option, leaving only RBAC, and patched the system:node role:
kubectl patch clusterrole system:node --type='json' -p='[{"op": "add", "path": "/rules/0", "value":{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]}}]'